The TL;DR version is that the GDPR says that users have complete control over their data, and you have to tell them why you need it. At which point, they can give the go-ahead or not. Practically, however, it’s a little more complicated than that.”